backend-ci.yml's `test -z "$(gofmt -l .)"` strict gate (added in
13c21ac11) failed on a backlog of unformatted files. None of the
85 files in this commit had been edited since the gate was added
because no push touched veza-backend-api/** in between, so the
gate never fired until today's CI fixes triggered it.
The diff is exclusively whitespace alignment in struct literals
and trailing-space comments. `go build ./...` and the full test
suite (with VEZA_SKIP_INTEGRATION=1 -short) pass identically.
Update RabbitMQ config and eventbus. Improve secret filter logging.
Refine presence, cloud, and social services. Update announcement and
feature flag handlers. Add track_likes updated_at migration. Rebuild
seed binary.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL
- CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest
- OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS
- CHAT_JWT_SECRET must differ from JWT_SECRET in production
- Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens
- Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010
- Add HLSEnabled and HLSStorageDir to backend config (HLS_STREAMING env)
- Register HLS serving routes (master.m3u8, quality playlist, segments)
behind HLSEnabled feature flag on existing track routes
- Add GetHLSStatus and TriggerHLSTranscode methods to StreamService
for stream server communication
- Update docker-compose (dev, staging, prod) with HLS env vars and
shared hls-data volume between backend and stream-server
- Stream callback already correctly updates stream_manifest_url
SEC-08: If HYPERSWITCH_ENABLED=true in production, startup now fails
unless HYPERSWITCH_WEBHOOK_SECRET is set. This prevents webhook
signature verification from being silently bypassed.
- Add FrontendURL to config (FRONTEND_URL or VITE_FRONTEND_URL)
- OAuth handlers use config instead of os.Getenv
- Update TODOS_AUDIT: mark UUID migration items as resolved
- Add ISSUES_P2_BACKLOG.md for GitHub issues
- Add ROUTES_ORPHANES.md for routes without UI
- Document FRONTEND_URL in .env.example
Add validation in ValidateForEnvironment() to fail startup when
CLAMAV_REQUIRED=false in production. Virus scanning is mandatory
for all file uploads in production.
Phase 1 audit - P1.4
- 1.6: Replace hardcoded JWT secrets in chat server tests with runtime-generated
values (env TEST_JWT_SECRET or uuid-based fallback)
- 1.7: Add validateNoBypassFlagsInProduction() in config; fail startup if
BYPASS_CONTENT_CREATOR_ROLE or CSRF_DISABLED is set in production
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.6, 1.7
- Add DATABASE_READ_URL config and InitReadReplica in database package
- Add ForRead() helper for read-only handler routing
- Update TrackService and TrackSearchService to use read replica for reads
- Document setup in DEPLOYMENT_GUIDE.md and .env.template
- Deleted apps/web/src/utils/optimisticStoreUpdates.ts (unused file)
- File was unused - no imports found in codebase
- Mutations already use React Query's onMutate pattern
- No TypeScript errors after deletion
- Actions 4.4.1.2 and 4.4.1.3 complete
- Increase IP rate limit from 100 to 200 requests per minute
- Increase IP burst from 10 to 20
- Increase SimpleRateLimiter limit from 100 to 200
- Allows frontend to make multiple requests during initial load (CSRF, state hydration, etc.)
- Can be overridden via RATE_LIMIT_IP_PER_MINUTE and RATE_LIMIT_LIMIT env vars
- Created ValidateRequiredEnvironmentVariables function
- Validates required vars (JWT_SECRET, DATABASE_URL) in all environments
- Production-specific validations: CORS_ALLOWED_ORIGINS required, no wildcard, no DEBUG log level, RabbitMQ URL if enabled
- Integrated validation at startup in NewConfig() to fail-fast if required variables are missing
- Provides clear error messages for missing or invalid environment variables
Files modified:
- veza-backend-api/internal/config/config.go
- VEZA_COMPLETE_MVP_TODOLIST.json
- Added HTTP writer for centralized log collection (Loki-compatible)
- Created AggregationConfig with batch processing and flush intervals
- Integrated with existing zap logger using multi-core approach
- Added environment variables for configuration (LOG_AGGREGATION_ENABLED, LOG_AGGREGATION_ENDPOINT, etc.)
- Added unit tests for aggregation functionality
- Updated config.go to initialize logger with aggregation if enabled
Phase: PHASE-6
Priority: P2
Progress: 111/267 (41.57%)
- Added AWS SDK v2 dependency for S3 support
- Created S3StorageService implementing S3Service interface
- Support for AWS S3 and MinIO (S3-compatible storage)
- Added S3 configuration in config.go with environment variables
- Implemented upload, delete, presigned URL, and public URL methods
- Added unit tests for service validation and URL generation
- Service integrates with existing TrackStorageService
- Enhanced secrets management with environment-aware defaults
- Fixed RabbitMQ URL: no default credentials in production
- Added getRabbitMQURL with environment-aware logic
- Added ValidateRequiredSecrets to validate required secrets
- Added RequiredSecretKeys listing production-required secrets
- Added validation for RabbitMQ URL in production
- All secrets properly managed via environment variables
- No hardcoded secrets in production code
